Solved

Export SSL-Certificate?

Posted on 2000-04-06
Last Modified: 2013-12-25
I am using Microsoft's IIS 4.0.
I need to export an SSL certificate from a developer station to the working server. I created a request file, received the certificate and completed the key.
I thought I could easily install this certificate on another machine, so I deleted the key on the developer station.
Is there any way to reinstall the key on my development station? Is there any way to install a certificate on another server?

db

Question by:db_tiger
17 Comments
 
LVL 9

Expert Comment

by:TTom
ID: 2693403
Who is providing your key?  Is it a commercial one?

I doubt that you can "legally" have the same key on two different machines (at least not in a production environment).  I am going over to the Verisign site today to see if I can get assistance in moving a key from one server to another.  Will get back when I have some more info.

Tom
0
 
LVL 1

Author Comment

by:db_tiger
ID: 2699758
Hi TTom,

I am working for a big (German) company - I think they provide the key by themselves: I had to produce the request file, gave it to some people in another section and two days later they gave the key back to me.

There should be a way to use a key on different machines, because we need it for the IIS in the middle tier, where we will use at least two physical servers. I doubt that I'll need two SSL certificates, because in every document only an SSL certificate is mentioned.

db

Sorry for the delay, spent some days on vacation.

0
 
LVL 9

Expert Comment

by:TTom
ID: 2700075
Each server needs a key, and each key will have to be produced individually, since they rely on the machine name to function properly.

It may not be an absolute, but I think if you don't do it that way, the users will constantly receive notification that the names don't match.

Tom
0
 
LVL 1

Author Comment

by:db_tiger
ID: 2700250
I am really wondering about that. It's not just our app, but a lot of apps which rely on the same framework.
I can't imagine that all those apps need certificates for every server they use (bigger apps run on several servers, different apps run on same servers).
Do you know any link/documentation where I may get more information?

db
0
 
LVL 9

Expert Comment

by:TTom
ID: 2700437
I don't right off hand, but I do know that any time secure communication is required BETWEEN the client and the WEB SERVER, a certificate will be required.  The key is the web server.  As long as the URL is the same, the same web server will be establishing communication with the client, and, once established, communication will be secure.

https://www.myurl.com/myapp/mypage.htm
https://www.myurl.com/otherapp/another.htm

will only require 1 certificate, no matter where "myapp" and "otherapp" are located or what other information they call.

https://www.myurl.com/myapp/mypage.htm
https://www.other.com/myapp/mypage.htm

will probably require 2 certificates, even if "myapp" is the same information in both cases.

The key is how many web servers are being accessed/used.

HTH,

Tom
0
 
LVL 1

Author Comment

by:db_tiger
ID: 2700648
The called URL will always be

https://www.myurl.intranet.our-company.com

As I understood, this URL will be served by more than one machine (kind of balancing). In our case there are about 30 users and they will use two WebServers resp. ApplicationServers - in other cases there are considerably more servers.

Besides that, I also have the problem that I don't know the IP address or name of the server(s) on which the app will run.
If you are right that the physical machine is the key, I don't really see how I'll be able to get this certificate. Probably I will have to generate the request file on the original server(s)!?

What I am wondering about is that I have some documents for this certificate, but there is nothing mentioned about these problems.

db

0
 
LVL 9

Expert Comment

by:TTom
ID: 2700790
The digital certificate for each web server can be requested and installed (I believe) through the MMC (Internet Service Manager), but it does require some level of "physical" access to the server (i.e, the certificate file must be on a drive which is accessible to the server).

All you will really need to know is the "friendly" name of the server(s), i.e. www.mycompany.com.  I do not think you will have a problem using the same friendly name for multiple servers, and you can probably use the same certificate file on each of them.  I have not verified that, however.

Perhaps if you determine exactly what the intent is with regard to producing these certificates (i.e., will you be using Cert Server), you could ask additional questions of the Microsoft newsgroups.

Tom
0
 
LVL 1

Author Comment

by:db_tiger
ID: 2703692
'...can be requested and installed (I believe) through the MMC... '

This is exactly one of my major problems: How to install the certificate on a different server.
There is only a menu to import/export (or to create) a key in the MMC, no installing.
So probably I'll need to first export the certificate (with the correct friendly name) from the development server and then it may be possible to import the certificate on the different server. Do you agree?

And if I deleted the certificate on the developing station, I probably won't be able to reinstall it, will I?

db
0
 
LVL 9

Expert Comment

by:TTom
ID: 2703758
Although I do not have extensive experience in dealing with digital certificates, my impression is that as long as you have the actual certificate file you can reinstall it on the same server at any time.

As far as installing the certificate on a server goes, once the file is created, you can use the MMC to install the certificate.  There are options in MMC for creating a key request, installing a key, importing and exporting keys, etc.

The only thing that is clear is that the server must be able to "see" the file containing the certificate.  That will mean some sort of "direct" access, either local or remote.

Tom
0
 
LVL 1

Author Comment

by:db_tiger
ID: 2703956
But TTom:
The option 'Install a Key Certificate' is only enabled if you choose an already existing key - either a working one or one that is waiting to be completed by a certificate.
Like that, it is not possible to reinstall a key; I tried it several times.

db

0
 
LVL 9

Accepted Solution

by:
TTom earned 100 total points
ID: 2704148
Since you are dealing with a M$ certificate (or an internal authority), what is the problem with generating a separate request and creating a new certificate for each machine?  You will still need to make the key file accessible to the target server.  Why bother with trying to use the same key file for multiple machines?  The request for each machine will need to be generated individually.

There is an option in MMC to Import a key, but that requires a set of key files generated by something other than Key Manager, and I am not at all familiar with it.

I suspect the bottom line is that once you have deleted a key from your machine, you will at least have to generate a new request.  Whether or not you can use that request to install the previously deleted key is not clear.  You will probably have to generate individual requests for each machine (web server) which requires a certificate.

Tom

0
 
LVL 1

Author Comment

by:db_tiger
ID: 2704315
I'll accept your last comment as an answer.
I'm seeing somewhat clearer now, but I still don't really understand it. It's not my decision to generate only one key, but I will find out somehow.

Thanks for your comments and hints.

db
0
 
LVL 9

Expert Comment

by:TTom
ID: 2704374
Sorry not to be more helpful.  Just don't think that generating a single key is a viable solution.  Unfortunately, I'm afraid that the person(s) responsible for putting you in that situation don't really understand the issue (perhaps not as well as you).

Best of luck,

Tom
0
 
LVL 1

Author Comment

by:db_tiger
ID: 2704511
Read you.

db
0
 
LVL 1

Author Comment

by:db_tiger
ID: 2726663
Hi TTom,

just to step forward: Here is how we do it.
We have the same virtual address on different servers, as I mentioned -
https://www.myurl.intranet.our-company.com - and you are right that on any server we may use the same certificate.

The certificate to be transferred to these servers can be generated on any other server - by generating the request file and completing the key with the certificate.
This certificate has to be EXPORTED in a 'BackupFile' and can then be IMPORTED on the target servers.

Because I did not know this and because I thought the certificate would be somehow installed, I deleted the key on the development machine where it is not used.
But this key can't be installed on another server, it can't even be reinstalled on the development server, because the request file is unique. So I had to go back and request a new certificate.

:-) db
 
0
 
LVL 9

Expert Comment

by:TTom
ID: 2726761
db:

I actually JUST got the same information from Verisign.  Apparently, the story is that when a key request is generated by IIS, a hidden file is created, which is unique to the request.  When you "export" the file (which produces a .key file), both the necessary files are accounted for.  You can then "import" the key to another machine.

FWIW, Verisign tells me that there is a way to transfer the key "directly", using MMC to attach to both servers at the same time.

However, they indicated that exporting the key is much easier.  The only caveat was to remember that the password for the key is NOT the same as the key phrase (although I don't remember whether the key phrase is a Verisign thing).

They also said, for some mysterious reason, that the success rate for exporting and importing keys is about 50%!!!

Thanks for the info, and best luck,

Tom
0
 
LVL 1

Author Comment

by:db_tiger
ID: 2726897
"They also said, for some mysterious reason, that the success rate for exporting and importing keys is about 50%!!! "

Unbelievable! But I had problems with the password. I tried it with a key on one machine and then it worked: Create request file, generate key, export key, delete key, import key per backup file and use same keyword - did work once.
But last week there was some irregularity; I thought I had the wrong password...
Hope it will work again when I use the 'real' certificate.

What's the keyphrase? I think it's a Verisign thing, because I didn't hear/read about it. I always select a keyword when generating the request file and use exactly this one later.

Thanks for your confirmation and wish you nice work!
db
0
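The request / export / import sequence described in the last posts, reproduced with OpenSSL as an added example (not part of the original thread, and not IIS Key Manager itself). It shows that the certificate holds only the public half of the key pair created with the request, so the backup file restores a usable key on another server while a freshly generated request does not fit the old certificate. File names, the password and the test CA are constructed; the host name is the one quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example: OpenSSL stands in for IIS Key Manager. File names, the
# password and the test CA are constructed; HOST is the name from the thread.
set -eu
HOST="www.myurl.intranet.our-company.com"

# SHA-256 of the public key held in a private-key file / in a certificate.
key_fp()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }
cert_fp() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }

# True when certificate $1 was issued for private key $2.
cert_matches_key() { [ "$(cert_fp "$1")" = "$(key_fp "$2")" ]; }

# "Create request": a fresh key pair ($1) plus a request ($2) carrying its public half.
new_request() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "/CN=$HOST" 2>/dev/null
}

# "Export": key + certificate go into one password-protected backup file ($3).
export_backup() { openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"; }

# "Import" on the target server: recover the private key ($2) from backup $1.
import_backup() { openssl pkcs12 -in "$1" -nocerts -nodes -out "$2" -passin "pass:$3" 2>/dev/null; }

# Build the whole scenario in directory $1.
build_scenario() {
  d=$1
  new_request "$d/dev.key" "$d/dev.csr"
  # Constructed stand-in for the company CA that answers the request.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -set_serial 1 -days 1 -out "$d/server.crt" 2>/dev/null
  export_backup "$d/dev.key" "$d/server.crt" "$d/backup.p12" "constructed-pw"
  import_backup "$d/backup.p12" "$d/target.key" "constructed-pw"
  # Key deleted before export: a new request creates a different key pair.
  new_request "$d/new.key" "$d/new.csr"
}

WORK=$(mktemp -d)
build_scenario "$WORK"
cert_matches_key "$WORK/server.crt" "$WORK/target.key" && echo "imported key: certificate usable"
cert_matches_key "$WORK/server.crt" "$WORK/new.key"    || echo "new request: old certificate does not fit"
```

The backup file contains the private key, so it needs the same protection in transit and at rest as the key on the server.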
